Compliance
AI compliance, mapped to evidence
Each framework page lists the regulator's obligations, the Prism or Prism X capability that addresses them, and the evidence pack you can hand to an examiner, with direct links to the source documents.
US financial regulation
NY DFS Part 500
23 NYCRR Part 500 applies to AI used by covered financial entities. Prism produces the evidence each section asks for, and Prism X covers third-party AI tool risk.
NAIC Model Governance
The NAIC Model Bulletin sets expectations for insurer use of AI. Prism produces the documentation, monitoring, and audit artifacts each pillar requires.
CFPB Fair Lending
The CFPB has confirmed ECOA and Reg B apply to AI-driven credit decisions. Adverse-action notices need specific reasons. Prism Agent Trajectories and Model Audits produce them.
SR 11-7 Model Risk
The interagency Revised Guidance on Model Risk Management supersedes SR 11-7 and SR 21-8. The three-pillar discipline carries forward, scaled to each bank's model risk profile. Prism produces the evidence at every tier.
SOX AI Controls
AI involved in earnings, forecasting, or estimation is in scope for Section 404. Prism produces the change-management and operating-effectiveness evidence external auditors expect.
Global frameworks
NIST AI RMF
Each NIST AI RMF function has subcategories that demand evidence. Prism produces it: from MEASURE-2.7 trace logs to MANAGE-2.1 adversarial test results.
EU AI Act
The EU AI Act's high-risk category includes credit, employment, and insurance scoring. Prism is built to satisfy the logging, transparency, and oversight articles.
ISO 42001
ISO 42001 is the first auditable management-system standard for AI. Prism produces the operational evidence each clause asks an internal auditor to see.
DORA
DORA treats AI systems as ICT services. Operational resilience, incident reporting, and third-party register obligations all apply. Prism produces the evidence.
Privacy and security
GDPR for AI
GDPR doesn't change for AI: lawful basis, minimization, and the right to explanation still apply. Prism produces the records each Article expects.
HIPAA for AI
PHI cannot reach a model uncontrolled. Prism redacts it before storage; Prism X blocks it before it leaves the employee browser.
PCI DSS for AI
PAN, CVV, and track data must never reach an LLM unscrubbed. Prism Guardrails strip them at ingestion; Prism X stops employees from pasting them into ChatGPT.